Our new website has detected an insecure browser, please read important information about your browserWhen using Assistive Technology this message will display due to lack of Javascript support and invalid IE/Chrome/Firefox user agent detection.

Security and Education

Did you know?

We consider it our responsibility to keep you safe and well-informed. This education center is designed to provide helpful banking and safety information. If you have additional questions or concerns after watching these educational videos and reviewing this information, please contact us for more details.

Please Note: Some Ad Block extensions may block displaying the video thumbnails below. If you do not see the thumbnails please add https://fflorain.bank to your exceptions list.

Online Banking Video

Enhanced Security Video

Identity Theft Prevention

Chip Cards

Online Bill Pay Video

FDIC Video

Customer Education: How we keep you safe

First Federal Savings is invested in keeping your financial information secure. We have specific procedures in place for contacting customers to keep your information and identity safe. The document below outlines the ways we will contact you, it also warns against providing account or personal information to outside sources. Please review this material and trust your instincts. Whenever something seems suspicious refuse to provide your information and contact us immediately at 800-589-8850.

Security and Privacy in the Connected Home

Stay cyber-safe with your Internet of Things (IoT) devices!

Did you ever wonder what it would be like to have a smart home? You could remotely change the temperature in your house, you could tell your lights to come on, or ask your refrigerator if you need to get milk at the grocery store, all from your smart home device or smartphone. You could play video games and access all your streaming services from one device, or know who is at your door from your connected doorbell.

The Internet of Things (IoT) is introducing these features into our homes by rapidly applying connectivity to everyday appliances and home features. As IoT devices become a part of our daily lives, and likely will become part of many more homes as holiday gifts, we need to take a look at the security risks and privacy concerns this smart technology introduces into our lives.

Personal Digital Assistants

Many people have a personal digital assistant like an Amazon Echo or Google Home. These devices analyze your past commands to try to anticipate your needs. These may also be linked to accounts used to purchase goods or services; make changes in your house such as turning off alarms, turning on the lights, or adjusting the temperature; or be linked to other accounts so they can tell you your schedule or read your email. Amazon Echo even has the ability to provide a pet-sitter with instructions, which is a give-away that you are not home.

Keeping these devices secure is especially important given that they may allow someone with access to the device to complete purchases using the owner’s accounts, identify key information, or find out more about you.

Smart Thermostats and Other Smart Home Devices

Many homeowners are beginning to opt for a digital thermostat that allows them to control the temperature in their home remotely using an app. While digital thermostats do come at a premium, the vendor also makes money on data it collects on usage and habits. Smart light bulbs and smart doorbells also allow for great levels of data collection by the manufacturer.

IoT manufacturers entice consumers with convenience and functionality by promising the world of the future through devices like those listed above. All the while, cybercriminals are finding that they can use these devices as pathways into your home network to steal your data and find out more about you. And yes, that includes using digital information to determine if the house is unoccupied and safe to rob.

Gaming Consoles

Sony PlayStation 4, Microsoft Xbox One, Nintendo Switch, and many other gaming consoles are in millions of homes across the United States. These devices rely on Internet connectivity to provide different forms of entertainment and include streaming video, interactive gaming, voice chat features, and apps that keep both the system and applications up-to-date. One major risk is that many gaming consoles require subscriptions and user accounts for accessing online content such as games and streaming services. This makes the console another device associated with an account that holds your personal and payment information for the purposes of renewing these subscriptions.

Here are a few tips to follow in building your smart home with IoT devices:

If you don’t need to connect a device to the Internet, don’t. If a device isn’t connected, it isn’t as big of a cybersecurity risk.

Isolate IoT devices from other devices on your network by creating a separate Wi-Fi network just for them. This protects your other devices if your connected IoT devices are compromised.

Research the privacy, security, and accessibility options that are available for customizing your device. You may find some options that provide greater security and privacy if you opt in. One example is that a device may offer multi-factor authentication (MFA) where you use your traditional password and username combination with the added step of receiving a verification code or providing a fingerprint through a scanner. If MFA is available, it’s worth using.

Always update your devices and apply patches when available. When selecting which IoT devices to purchase, ensure they offer patching and updates from the manufacturer to keep them up-to-date. Enable auto-updates on any IoT devices that support them.

Replace devices when they are no longer supported by the vendor, as security flaws will remain unpatched.

Turn off Universal Plug and Play if it is available on the device. You don’t want the device having this ease of connectivity with so little control.

When requested to provide information to use a device, do not provide personally identifiable information (PII), like Social Security Numbers and dates of birth. If you must share PII to use the device, you may want to consider a different make or model or keeping it off your home network.

Remember these tips over the holidays as you receive and give gifts. This will ensure you don’t give cybercriminals the holiday gift of your sensitive data!

The information provided from the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and customers to help educate them to behave in a more secure manner within their work environment or home While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.Personal environment.

Staying Secure While Shopping Online

Making #CyberMonday #CyberSecure

It is that time of year where so many people prepare to purchase gifts for friends, family, and loved ones. Though it can be convenient to avoid the lines and rush for that latest Black Friday deal by shopping online, this also carries some risk. Cybercriminals are always working to steal your personal and payment information and the holiday shopping season is the perfect opportunity for this to happen. By following a few key practices, you can greatly lower your chances of becoming a victim of identity theft or fraud.

Choose Trusted Online Retailers and Apps

Always shop only with trusted online retailers. That means using a retailer you already know or one that is verified through another trusted entity. If you find a new possible shop to do business with, but are unsure about its reputation, try to find reviews from trusted sources such as the Better Business Bureau. It is important to stick to trusted review sources because there are several ways to fake online reviews, and there are places where cybercriminals can pay other criminals to post positive reviews. Even though an untrusted site might have the best prices, it is worth it to use a trusted online shop that is known to safeguard your information and purchases.

The same advice applies when downloading apps to help with your online shopping. Whether you are downloading a store app to get a coupon, a deal aggregator app to comparison shop, or a reward app that ensures you get points or cashback, it is important to stick to trusted apps from known developers. Unfortunately, fake apps appear in the app stores, purporting to be from a trusted source while other apps exist to capture your data without providing the services they claim to support. You can avoid many malicious apps by downloading your apps from Google Play, Apple App Store, Microsoft Store, or another trusted platform, selectively choosing which apps to download, and making sure you carefully read the permissions and app reviews.

Secure your Device, Connectivity, and Accounts

Keep your devices up-to-date, especially those you shop and bank with – Simply updating the device that you use for conducting your online shopping is a key cybersecurity practice. By keeping the device up-to-date with current patches and software, you ensure you have the manufacturer’s latest security fixes in place.

Never use a public computer when shopping or banking – Using a public computer, like those found at libraries, can expose you to greater risk. It is best to use a trusted home device and network for anything involving financial transactions.

Never shop or conduct banking on unencrypted or public Wi-Fi– It is best to always conduct financial transactions or log on to sensitive accounts via a trusted Wi-Fi networks. Ideally, this should be from your home network, which should require a password and use WPA2 encryption.

Look for the lock icon on your browser - When a site has a lock icon on the browser window, or in the URL bar, it indicates that your communications with the site are encrypted. If you do not see a lock, look for “https” at the beginning of the URL, as this is the same thing as the lock.

Check out as a guest – By checking out as a guest, you prevent the online retailer from storing your personal account and financial information. This minimizes the amount of information that could be lost if the retailer is compromised. If you have or need an account with a retail website:

Use a strong password – Be sure to use a strong, unique password. Always use more than ten characters, with numbers, special characters, and upper and lower case letters.

Don’t save your payment information with retailers – If you have an established account with a retailer, do not store your payment information with them. In the case of an account compromise, stored payment information may allow a criminal to make purchases using your financial information.

Be Wary of Fraudulent Emails and Advertisements

Look out for suspicious or unexpected emails – A common tactic of cybercriminals year round is to send fraudulent emails seeking to get you to click a link or open an attachment. When it comes to this time of year, they may make an email look like it contains tracking information for a shipment or a promotion for a store. The link or attachment might download malware or try to get you to enter your user credentials in a convincing, yet fraudulent login screen, so they can steal your password. Always avoid clicking direct links in emails, and if you receive an email with a tracking number in it, head to the shipping carrier’s website in your browser and copy and paste the tracking number itself into the site.

Avoid clicking advertisements or pop-up windows of any kind – Advertisements embedded in websites and pop-ups have been known to be compromised by cybercriminals to distribute malware. It is best to avoid clicking them altogether.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

National Cybersecurity Awareness Month

The 15th annual National Cybersecurity Awareness Month (NCSAM) is here! October 1st kicked off this month-long campaign devoted to ensuring everyone has the resources they need to stay safe online. NCSAM is an effort co-led by the National Cyber Security Alliance (NCSA) and the U.S. Department of Homeland Security, and is championed by the Multi-State Information Sharing and Analysis Center (MS-ISAC).

Each week of October highlights a theme that contributes to that “Shared Responsibility” of online safety and security. In partnership with NCSA, below we have provided some tips for how to make the most of those themes and strengthen our individual and national cybersecurity!

Week 1: Make Your Home a Haven for Online Safety

Easy-to-learn life lessons for online safety and privacy begin with parents and caregivers leading the way. Family members may be using the Internet to engage in social media, adjust the home thermostat, or to shop for the latest connected toy. This makes it vital to ensure that the entire household ‒ including children – learn to use the Internet safely and responsibly, and that networks and mobile devices are secure. Three of NCSA’s top tips include the following:

Keep a clean machine: Keep all software on Internet-connected devices, including personal computers, smartphones and tablets, up-to-date to reduce risk of infection from ransomware and malware.

Lock down your login: Your usernames and passwords are not enough to protect key accounts like email, banking, and social media. Fortify your online accounts and enable the strongest authentication tools available, such as biometrics, or two-factor authentication.

Share the best of yourself online: Before posting online, think about what others might learn about you and who might see it in the future, such as teachers, parents, colleges, and potential employers.

Week 2: Millions of Rewarding Jobs: Educating for a Career in Cybersecurity

A key risk to our economy and security continues to be the shortage of cybersecurity professionals to safeguard our ever-expanding cyber ecosystem. There are limitless opportunities for students and individuals looking for a new career or re-entering the workforce. Here are some tried and true tips for cyber job seekers at any age:

Get Credentialed: Four out of five cybersecurity jobs require a college degree. Certifications can also be valuable to display your specialized knowledge. DHS offers free online, on-demand courses through the Federal Virtual Training Environment that provide great learning opportunities for veterans.

Get Involved: Test the waters through volunteer work and internships. Offer to help technical professionals at your school or workplace to gain experience. You could even consider joining local clubs or groups, such as those on MeetUp. (Remember to be safe when meeting people or going to new places!)

Keep Up with the Buzz: Follow top cybersecurity personalities on Facebook, Twitter, LinkedIn, and news websites and blogs.

Week 3: It’s Everyone’s Job to Ensure Online Safety at Work

When you are on the job, your organization’s online safety and security is also part of your responsibility. NCSA’s CyberSecure My Business™ will be a cornerstone for Week 3. The program is a series of in-person and highly interactive workshops based on the NIST Cybersecurity Framework to educate the community about:

Additional components include monthly webinars, online portal resources, and monthly newsletters summarizing the latest cybersecurity news. NCSA has also created a Cybersecurity Awareness Toolkit, for small and medium businesses which is packed with easy-to-use tips and practical information.

Week 4: Safeguarding the Nation’s Critical Infrastructure

Our daily lives depend on 16 critical infrastructure sectors, which supply food, water, financial services, public health, government services, communications, transportation, and power along with other critical functionality. A disruption to this system, most of which is operated via the Internet, can result in significant and even catastrophic consequences. Week 4 will highlight the roles the public can play in keeping it safe. Two easy tips everyone should practice to help protect the country’s critical infrastructure are:

When in doubt, throw it out:Links in email, tweets, posts and online advertising are often how cybercriminals try to compromise your information. If it looks suspicious, it’s best to delete it.

Safer for me, more secure for all: What you do online affects everyone. Good online habits help the nation’s digital community.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

Avoiding Many Types of Malware

From the MS-ISAC Group

Every day as we use our devices, browse the Internet, and open emails, we are also exposing those devices to potential malware (malicious software). Malware is any software that is designed to cause damage to and/or unauthorized access to devices or networks. Malware comes in many forms, all of which can have negative effects for your device and for you. With a little extra vigilance, and some good habits and practices, you can greatly reduce your likelihood of having a device infected with malware and can minimize the impact to your device, data, and life, in the event that it does become infected. Below we will explore a few common types of malware and their impacts, as well as some tips and practices that can help you as you go about your connected life.

Common Types of Malware and Their Effects

Ransomware – Ransomware is malware that stops you from being able to access your files, usually by encrypting them, and then requests payment to decrypt the files, restoring your access. Most commonly, ransomware asks for payment in bitcoin, which is a popular cryptocurrency. Unfortunately, paying the ransom does not guarantee restoring access to your files.

Trojan Horses (a.k.a. trojans) – This malware takes its name from the classic story of the Greek army sneaking soldiers into the city of Troy hidden inside a large wooden horse. Trojans of the malware variety behave in much the same way, by appearing to be legitimate apps or software that you want to install. Some trojans allow an attacker full access to your device, others steal banking and personally sensitive information, and others are simply used to download additional malware, like ransomware.

Keyloggers – This type of malware records your keystrokes and sends them to a cyber threat actor, giving them access to your usernames, passwords, and any other sensitive information you have entered using your keyboard. With this information, the cyber threat actor can access your online accounts or commit identity theft.

Tips and Practices for Avoiding and Surviving a Malware Infection

Update and patch your devices and software. Vendors release updates and patches in order to fix security issues, not just to fix functionality! Many types of malware can be foiled by keeping your software up-to-date by accepting the updates when you get a notice about them.

Never click suspicious or untrusted links. Even if the URL comes from a company or person you know, it is always safest to manually type in their URL. At the least, hover over the link to discover where it’s really sending you, as some malicious actors send emails that look convincing. This advice is also true for links in emails, documents, and on social media platforms, as malicious links are commonly posted to such sites. For more information on spotting suspicious emails and checking URLs, head to our past newsletter on this topic.

Only download from trusted sources. When looking to download an app or software, only do so from a trusted vendor or source. On mobile devices, ensure that you only download apps from the Google Play store and Apple App Store, which are the trusted sources for Android and iOS devices.

Backup your data and be sure the backups are good! Backing up your data, whether by doing a complete backup of your whole device or just key files, is the best way to protect those important files and pictures against ransomware and other data loss. For best practices and more information on backups, please reference our recent newsletter on this topic.

Use antivirus and other protective software on your device. If your computer or router has built in protections like antivirus or a firewall, ensure you have those enabled. Otherwise, buy or download an antivirus product from a trusted vendor. This is important for both your computers and your smartphones!

Configure your devices with some security in mind. By setting up your devices with some basic security settings enabled, you will not only protect against some malware, but against other forms of malicious activity and access. For tips on configuring your devices, please see our past newsletter on this topic.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

From the, MS-ISAC GROUP

We all know it happens – our home computers crash, malware infects them, or somebody downloads that cool, new program that crashes everything! While there are many tips and tricks of great value for preventing your devices and data from being compromised, it is important to also have a backup of your information in case something goes wrong.

Backups are copies of key information or data that are stored separately from your device. By storing these separately, you can restore your data or device using these backups and get right back to full working order. With threats of Ransomware, which encrypts and renders your personal files inaccessible, this is a real concern. Below we will explore some key concepts on creating and will provide resources that assist you in making decisions on how to best create this essential type of redundancy in your life.

Choosing what to backup

When thinking about a backup system the first thing to decide is how much you want to backup. Are you okay storing key documents, pictures, and files or do you want your full system backed-up? If you’re concerned about rebuilding a full system, and having all the license information to make it functional, then you probably want a more complete backup option. If you just want to protect important files, then a system where you choose what to save would work well.

How can you create a backup of just key files?

If you are looking to store copies of your important files, you can copy them to your preferred method of backup periodically. This is accomplished by selecting the folders or files you want to backup, and copying them to the storage device or media. This is made especially easy if you make a habit of organizing your important files into just a few folders. This is a very simple and easy approach, and guarantees that your tax documents, digital receipts, pictures, and other important records remain available.

How can you create a complete backup of your device’s data?

If you are looking to create a more comprehensive backup, your devices likely have utilities built in that allow for easy creation of backups. These may allow you to set a complete copy of your device’s data aside that would allow you to restore it to full working order following an infection or issue. Seek out guidance or tips from your device’s vendor to determine what utilities are available to you for creating backups. The Stay Safe Online guide linked below has links to top vendor’s backup guides that can assist you through the process.

Choosing where to store your backed-up data

Regardless of what you want to save, one of the key ways to keep your backed-up data safe, is to disconnect the storage media after you make the backup. This is important in the event that you are infected with malware. You do not want copies of data to also be infected. (Ransomware does look for backups to infect.)

This also helps in case your device or where you store it is lost, stolen, or physically destroyed. Keeping a separate backup on a different physical storage device, or in the cloud, is a way to better secure your data from this type of problem.

Cloud services for storing backups can be a convenient solution, though they may come at a cost and some individuals may not like the fact that they will not have a copy in hand on physical storage media. Having the backup outside your immediate possession can be helpful if you are concerned about a physical problem, such as loss or damage. Some of these services save multiple versions of your backup, which better secures against infected files corrupting the cloud backup.

External hard drives or removable media (DVDs, USB drives, etc.) are the other most common option. You simply need to copy the data you want to save to the external hard drive or media chosen.

Consider keeping the external drive disconnected and in a separate location from your devices while not making backups, as this insures against malware getting on the backup copy.

How often should you back up files and systems?

The frequency with which you back up your data or systems is an important component of this process. Consider making your backups on a weekly basis, with a minimum frequency of monthly backups. Your decision will be influenced by how often you update your data.

In conclusion, spend time considering how vital the data on each of your devices is. Then consider the best type of backup strategy for your needs and base a timeline of how frequently you make the copies off those needs as well. By adding this simple process to your safe computing habits, you can build in more reliability and recoverability. If you are ever the victim of a malware infection or cyber-attack, you will surely be glad you took the time to make backups!

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS

From the Information Security Office

This month, in partnership with the National Cyber Security Alliance, we aim to provide some valuable tips on staying cyber safe while heading on a summer vacation. Whether you are out exploring or relaxing, it is important to strive to be as secure as possible with your digital devices and information. Unfortunately, travel can open you up to different points of vulnerability compared to normal everyday use at home, and we don’t just mean accidentally going swimming with your cell phone. You see, while traveling you are operating outside of your normal, safe routines. This means using your devices on different networks and putting them down in different locations, including under your beach towel while swimming. By following some smart practices, you can connect with greater confidence during a summer escape.

Getting Ready to Go:

Avoid mayhem and make magical family memories by taking a few simple cyber safety steps before you head out of town. The goal here is to prepare your devices for travel and to keep them from being used against you.

Keep a clean machine: Before you hit the road, make sure all security and critical software is up-to-date on your mobile devices and keep them updated during travel. These protections are your best line of defense against viruses and malware.

Lock down your login: Your usernames and passwords are not enough to protect key accounts like those you use for email, banking, and social media. Fortify your online security by turning on multi-factor authentication, commonly referred to as two-factor authentication, when available. This typically pairs your username and password (i.e. something you know) with a message sent to your phone (i.e. something you have) or your fingerprint (i.e. something you are).

Password protect: Use a passcode or security feature like a finger swipe pattern or fingerprint to lock your mobile device. Also set your screen to lock after a short period of time by default. If you do choose to use a finger swipe, make sure it has at least one turn (preferably two) and that a pin code has at least 6 numbers!

Think before you use that app: New apps are tempting! It is important to always download new apps from only trusted sources like the Apple App Store or the Google Play Store. Additionally, consider limiting your app’s access to services on your device, like location services.

Own your online presence: Set the privacy and security settings on social media accounts, web services, and devices. It is okay to limit how and with whom you share information – especially when you are away. Do not post of your pending vacation destination on social media. That information is an open invitation for trouble.

While on the Go:

Once you and your gang are at your destination, you are in new territory and are facing new potential cyber threats. Here are some ways you can keep up secure practices while out and about.

Get savvy about what you do on other peoples’ Wi-Fi and systems: Do not transmit personal info or make purchases on unsecure or public networks. Instead, use your phone carrier internet service for these needs. For laptops/tablets, it is easy to use your phone as a personal hotspot to surf more securely using carrier data. Also, never use a public computer or device to shop, log in to accounts, or do anything personal.

Turn off Wi-Fi and Bluetooth when idle: When Wi-Fi and Bluetooth are on, they may connect and track your whereabouts. Only enable Wi-Fi and Bluetooth when required, and disable your Wi-Fi auto-connect features.

Protect your $$$:Be sure to shop or bank only on secure sites. Web addresses with ‘https://’and a lock icon indicate that the website takes extra security measures. However, an “http://” address indicates your connection is not secure (not encrypted) and you should not transmit payment or sensitive information over to such a site.

Share with care: Think twice before posting pictures that signal you are out of town. Knowing you are away from home is a great piece of information for a criminal to have and they may target your home for physical crime. Also consider limiting your social media apps’ access to location services on your device, and omit location information while making your posts and sharing your pictures.

Keep an eye on your devices: Laptops, smartphones, and tablets are all portable and convenient, making them perfect for a thief to carry away! Keep your devices close to you and hold onto them if strangers approach you to talk, as a common scam consists of a stranger distracting you and placing a map or newspaper over your device and walking away with it when finished talking.

Know your destination’s laws: If you are heading out of the country, check up on any specific laws on internet and device usage. Additionally, bring as few devices as possible and consider using a device specifically purchased for international travel.

Armed with these tips and practices, you should have a happy and cyber safe vacation ahead of you. To learn more about staying cyber safe and secure while travelling, head to the MS-ISAC’s Security Primer covering this topic. For more information on NCSA, including countless resources on staying cyber secure, please visit staysafeonline.org.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

From the MS-ISAC Group

The Federal Trade Commission’s definition of phishing is “when a scammer uses fraudulent emails or texts, or copycat websites, to get you to share valuable personal information.”[1] When a user falls for a phishing message, the malicious actor achieves their purpose of getting the victim to hand over sensitive information such as login names and passwords. Though we count on technologies and controls to minimize threats, phishing exploits users through social engineering, which allows the malicious actors to side step these protections. This is why it is important that everyone learn to spot these fraudulent messages. Let’s take a look at some example emails of phishing messages.

Message #1

Subject: Low Cost Dream Vacation loans!!!

Dear John,

We understand that money can be tight and you may not be able to afford to go on vacation this year. However, we have a solution. My company, World Bank and Trust is willing to offer low cost loans to get your through the vacation season. Interest rates are as low at 3% for 2 years. If you are interested in getting a loan, please fill out the attached contact form and send it back to us. We contact you within 2 days to arrange a deposit into your checking account.

In this message, you can see that the phisher wants to give us a low cost loan with no credit check. They say we just need to send them our information and they will give us money, right? Not only does it seem too good to be true, but also when you hover the cursor over the email address to examine it further, you see that the link actually has a different destination. It is the email address of the attacker.

Message #2

Subject: Free Amazon Gift Card!!!

Dear Sally,

You name has been randomly selected to win a $1000 Amazon gift card. In order to collect you prize, you need to log in with your Amazon account at the link below and update your contact information so we can put your prize in the mail. This is a limited time offer, so please respond to the request within 2 business days. Failure to respond will forfeit your prize and we will select another winner.

Aside from this seeming too good to be true, you can see that “Amazon” is misspelled as “Amozan” on the link provided. If you read this quickly, you may think you are responding to the real company to get your gift certificate. In reality, you are providing your information to the attacker. For the purposes of this example, the link actually navigates to the Center for Internet Security, which is a trustworthy site.

Following changes to our Microsoft email systems, each user must authenticate their account to prevent it from being deactivated. You can accomplish this by heading to the link below and entering your Microsoft Outlook email account credentials, and then we will know your account is active and should remain so.

This email is fairly well crafted without errors. Note that it establishes a sense of urgency that the malicious actor hopes will cloud your judgement and threatens the deactivation of your email account. Additionally the link at the bottom looks like a link to Microsoft, yet it is in fact heading somewhere else! Luckily, for the purposes of this example, that link simply leads to the Center for Internet Security, which is a legitimate site.

With these three examples considered, here are some basic recommendations to help protect you from becoming a phishing victim:

If it seems too good to be true, it probably is;

Hover your cursor over links in messages to find where the link is actually going;

Look for misspellings and poor grammar, which can be good signs a message is a fraud;

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.

Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

From the desk of Thomas F. Duffy, MS-ISAC Chair

While spring cleaning your home and, if you’re like me, the top of your desk, consider also cleaning up your information footprint. Your information footprint is how much information about you is recorded and available in both digital and paper formats. Cleaning up your footprint can mean examining social media, online accounts, and even paper records containing sensitive information. While we may use a few key digital devices and services on a regular basis, they often contain more information about us than is necessary. It’s also likely that devices and services we don’t use anymore may still contain information. You might have that pile of paper you’ve been meaning to shred for a while, making this an opportune time to spring clean your information footprint. By spending a little bit of time and effort, you can better secure your information to safeguard against various forms of identity theft.

Disks, Hard Drives, and USB drives, Oh My!

Over the years, it’s easy to accumulate a mass of CD’s, DVD’s, hard drives, and USB drives that are no longer needed or with data that is no longer needed stored on them. If you have hard drives or USB drives with old data but want to continue to use them, consider following US-CERT’s guidance on how to securely clean the data off of these items before properly recycling them. Many shredders, including those rated for home use, can shred CDs and DVDs. If your shredder can’t handle them, check your local community for shredding days as many towns, schools, and office supply businesses will sponsor shredding events.

Clean Up Your Paper Trail

Many of us have a large quantity of paper documents that may contain sensitive information about ourselves, financial accounts, government identification information, tax returns, and more. Take some time to go through these documents this spring and check whether it is something you truly need to hold onto. If the answer is no, be sure to securely dispose of it by shredding it and recycling the shredded pieces. Simply ripping up sensitive documents is not enough to guarantee your information is unreadable.

Not sure how long you should hold on to those old documents? The Federal Trade Commission (FTC) has a handy website – “A Pack Rat’s Guide to Shredding” with information on how long you should hold on to those documents!

Closing Old Online Accounts

It is common for people to use many different shopping sites, social media outlets, online storage, clubs, and other online outlets that require you to enter, store, and sometimes share information from or about you. If you are no longer using any of these accounts, consider removing information that may be sensitive and consider closing them out if you do not plan to use them again. Sometimes, it is easiest to check out as a guest when shopping online at a place that you rarely, if ever, patronize. Checking out as a guest should minimize the data retained about you.

Old Social Media Accounts

Remember MySpace? LiveJournal? Do you still have that old email account or an account on an old dating website? As we move from Myspace to Facebook to Twitter, Instagram, and the other latest and greatest social media platforms, our old accounts and information are left behind, filled with personal details. Consider closing out social media accounts that you no longer use, as it will reduce your digital footprint. Keep in mind that all social media platforms have different policies when deleting old accounts and content. Be sure to read the policy. And, don’t forget to remove the app from your smartphone, too!

Oversharing on Social Media That You Do Use

If you frequently use a social media or online account but it contains lots of personal details or information that you now think should be safeguarded more closely, consider removing it from your profile or deleting the posted content. Think about if the information you continue to share could be used against you or combined with other information to be used against you. Enough pieces of personal information combined together can be very useful to cybercriminals.

Being aware of any information that you share that could be used to respond to “Challenge” questions, which are frequently used to reset passwords. What does that mean? How could information be combined to be used against you? Think about your online bank account. If you forget your password what types of questions do they ask? Probably something about the color of your car, your mother’s maiden name, your birthday, or pets’ names. Did you post a picture of your new car? Friend your mother or her brother on social media? Answer a meme about your birth month and day? Share adorable pictures of Fluffy? If you did, you’ve helped someone find out the answers to your bank’s security questions!

This is the case for many of the pieces of information you may share online and many online accounts that use challenge questions to reset passwords. Information commonly used for challenge questions include the above examples and other details, such as your favorite sports team, vacation spot, fruit, ice cream, type of reading material, youngest sibling, elementary school name, and so on. As you clean up your data think about what information could be used to answer your security questions and try to remove that data from your social media accounts.

In closing, these short tips can make a world of difference in lowering your information’s exposure to others. By questioning if you need to share or provide certain information online as you move forward, you can save yourself from many of the unnecessary overexposures we discuss here. Additionally, by taking a look at both your digital and paper trails to do these activities on a routine basis, you can be sure to keep overexposure in check.

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

January 28th is National Data Privacy Day, an educational initiative focusing on raising awareness among businesses and individuals about the importance of protecting the privacy of personal information. With more and more information being collected by companies, websites, and social media, this is something everyone should consider.

To understand the importance of Data Privacy day, it is vital to understand Personally Identifiable Information (PII) and exactly what privacy is. PII is any combination of data points that can lead to the identification of a specific individual (you). This can mean things such as your name or email address, but most times PII refers to “sensitive PII” such as Social Security, driver’s license, state identification, or financial account numbers. Sensitive PII can also exist if PII is combined with another piece of information about you such as a birthdate, medical information, or even passwords. The more pieces of data combined about an individual, the more valuable and sensitive the body of information becomes.

Privacy is often considered to be the concept of confidentiality, which is keeping information secret from those that should not see it. While that is an aspect of privacy, often called “need to know,” privacy is much more. Privacy is a larger concept centering on you as the individual to whom the information refers. It is about your rights to access, correct, and control the information that another entity has about you.

Privacy Rights:

Organizations that honor your privacy will not only protect confidentiality, but should follow a set of principles related to how they manage your information, including:

Not collecting more information than they need to conduct their business with you;

Informing you of what they will do with the information that they collect and not doing more with it than they have promised;

Retaining the information for only as long as it is needed and then properly destroying the information;

Not sharing your information with others without your permission, except as required by law;

Allowing you to review and correct information if necessary.

To understand your privacy rights it is essential that you read the privacy policies of any organization to whom you provide information, especially PII. This includes websites, health care providers, insurance companies, and financial institutions. If you do not agree with how they intend to protect your privacy, consider not using their service.

Privacy is a Shared Responsibility:

While organizations and websites have a responsibility to protect your privacy, which most will outline in their privacy policy, this is also your responsibility. Social media users are especially susceptible to privacy concerns. Individuals voluntarily place enormous amounts of information about themselves, their friends, and associates, on social media. It is critical that everyone is aware of the information they post on social media services, such as Facebook, LinkedIn, Instagram, Snapchat, and Twitter. This awareness is not limited to what you post about yourself, but what you post about others as well!

Identity Theft Protection:

Despite many organizations best efforts in handling and using your private information properly, the countless breaches of PII by cyber criminals in the past few years have resulted in the exposure of information about millions of people. One reaction to such breaches can be to provide credit monitoring for one year. This is a very short amount of time to have such a protection. Those that have stolen the information, or those to whom they have passed it on, may hold it for much longer than a year before using it to steal your identity, commit credit card fraud, or worse in your name. If you have been a victim of a breach, check out some of the FTC’s resources on starting a credit freeze to protect yourself.

If you are considering Identity Theft protection services, research the firms that you are considering engaging and ensure you understand the services they will and will not provide. Also, read their privacy policies, because for them to deliver these services you must provide them with varying amounts of PII.

Protecting privacy is both your responsibility and that of those individuals and organizations that have information about you. Do everything in your power to be aware of how you personally can compromise your privacy and hold those organizations that you engage with accountable for their management, or mismanagement, of your personal information.

For More Information:

The information provided in the MS-ISAC Monthly Security Tips Newsletter is intended to increase the security awareness of an organization's end users and to help them behave in a more secure manner within their work environment. While some of the tips may relate to maintaining a home computer, the increased awareness is intended to help improve the organization's overall cyber security posture. This is especially critical if employees access their work network from their home computer. Organizations have permission and are encouraged to brand and redistribute this newsletter in whole for educational, non-commercial purposes.Disclaimer: These links are provided because they have information that may be useful. The Center for Internet Security (CIS) does not warrant the accuracy of any information contained in the links and neither endorses nor intends to promote the advertising of the resources listed herein. The opinions and statements contained in such resources are those of the author(s) and do not necessarily represent the opinions of CIS.

We are providing these instructions as a courtesy only. We cannot and will not provide any support beyond providing these written instructions. Do not call for technical support.

Even with these recommendations, you the consumer must remain vigilant and suspicious of requests for information in order to protect yourself. Be very careful and report all suspicious activity to FFSL immediately.

SALEM, Ore., January 25, 2017 – As the 2017 tax season gets underway, the Oregon Bankers Association (OBA) is urging all Oregonians to take extra precaution when filing their return to prevent their exposure to tax fraud.

“Fraudsters are using very clever tactics to get a hold of your personal information and submit false tax claims,” said OBA President and CEO Linda Navarro. “Consumers must be suspicious of any communication from the IRS – through email, text or social media – that requests personal information, and should keep a watchful eye out for missing W-2s and mail containing sensitive financial information.”

Tax identity fraud takes place when a criminal files a false tax return using a stolen Social Security number in order to fraudulently claim the refund. Identity thieves generally file false claims early in the year and victims are unaware until they file a return and learn one has already been filed in their name.

To help consumers prevent tax ID fraud, the OBA is offering the following tips:

File early. File your tax return as soon as you’re able giving criminals less time to use your information to file a false return.

File on a protected Wi-Fi network. If you’re using an online service to file your return, be sure you’re connected to a password-protected personal network. Avoid using public networks like a Wi-Fi hotspot at a coffee shop.

Use a secure mailbox. If you’re filing by mail, drop your tax return at the post office or an official postal box instead of your mailbox at home. Some criminals look for completed tax return forms in home mailboxes during tax season.

Find a tax preparer you trust. If you’re planning to hire someone to do your taxes, get recommendations and research a tax preparer thoroughly before handing over all of your financial information.

Shred what you don’t need. Once you’ve completed your tax return, shred the sensitive documents that you no longer need and safely file away the ones you do.

Beware of phishing scams by email, text or phone. Scammers may try to solicit sensitive information by impersonating the IRS. Know that the IRS will not contact you by email, text or social media. If the IRS needs information, they will contact you by mail first.

Keep an eye out for missing mail. Fraudsters look for W-2s, tax refunds or other mail containing your financial information. If you don’t receive your W-2s, and your employer indicates they’ve been mailed, or it looks like it has been previously opened upon delivery, contact the IRS immediately.

If you believe you are a victim of tax identity theft or if the IRS denies your tax return because one has previously been filed under your name, alert the IRS Identity Protection Specialized Unit at 1-800-908-4490. In addition, you should:

There is a new scam you need to watch out for if you log into any of your accounts and have to wait for a text message sent to your phone to enter and only then log in. This more secure system is called "2-factor authentication". These two factors are:

one thing you need to know-- your password

one thing you have to have-- the text code on your phone

Now, criminal hackers are trying to get past this with a nasty trick you need to watch out for. Tens of millions of hacked user names and passwords have recently surfaced -- yours may be one of them -- and they are using these for this scam.

They send you a fake (spoofed) text that looks like it's from the company you have an account with, claiming that your account may be hacked or that there is suspicious activity happening.

In the same text they say they will send you your verification code and that you need to send that right back to them or your account gets closed. But if you text that verification code back, you have given the hacker just the thing they needed to hack into your account!

TIP TO STAY SAFE

If your accounts are protected by 2-factor authentication of this sort, the only time you will be sent the code is to verify an attempt to log into your account. That means if you did not just try to log in and you suddenly receive a verification code through a text message to your smartphone, it is because a scammer who already has your user name and password is trying to hack into your account.

Never provide your verification code to anyone. Only use it to input the code into your smartphone or computer when you log into a 2-factor authentication protected account. And as a reminder, never give out personal information, such as your Social Security number or credit card numbers in response to a text message (or email) because you simply cannot know for sure who is really on the other end of that communication line.

Customers have been receiving calls from individuals claiming to be from banking institutions. The callers are telling customers that their Debit Card has been compromised in an attempt to get information from them. From the information that we have received it appears that the call system is automated and usually appears as an "Unknown Number".

If you feel you have received one of these calls, please contact our Electronic Banking department (440) 282-6188 to report it.

Please remember that we will never contact you by phone, if your card is compromised. You will be notified by mail. Additionally, we will NEVER ask you for your full card number, account numbers, social security number or any other personal information over the phone.

Identity thieves are sending text messages to Ohio residents asking them to call their bank to reactivate debit/credit card accounts. The phone number used connects to a fraudulent group that steals card information. They try to make the phone number look local to your area. Often, the target of the text may not even have an account at the bank listed in the message. This is a nationwide scam. Notify your bank and the bank referenced in the message immediately, if you receive one of these text messages.

Mobile Banking

Leaving fflorain.bank

You have clicked on an external link and are leaving this website. Linked web pages are not under the control of this institution, its affiliates or subsidiaries. The institution provides such links as a convenience and is not responsible for the content or security of any linked web page.

You are now leaving First Federal Savings and Loan Association of Lorain and going to ameriprise.com

Ameriprise.com is not owned or operated by First Federal Savings and Loan Association of Lorain and has its own privacy policy and terms of use. We encourage you to read through both and familiarize yourself with the site before completing a transaction. First Federal Savings and Loan Association of Lorain is not responsible for the availability or content of this site on ameriprise.com and does not represent either Ameriprise Financial, Inc. or you, should you enter into a transaction.